Research has found that very few companies have a full security strategy in place and where they do, it is rarely seen as ‘fit for purpose’.
Recent work by Perpetuity found that only one-third of organisations had a security strategy that had been approved by the Board. Many did not have specific objectives to guide the work of the security function within the organisation and less than a third had a security strategy with measurable deliverables linked directly to organisational objectives. Furthermore according to security providers, nearly two-thirds estimated that fewer than 15 per cent of their clients had a security strategy in place. In addition where security strategies did exist most were not deemed to be fit for purpose.
Whilst the majority of organisations seemingly do not have a security strategy, many directors recognise that they should.
Why is a security strategy so important?
Without a security strategy it will often not be clear how the security function contributes to the overall aims of the organisation. Unsurprisingly then security can be marginalised, or at least it does not fulfil its potential to generate competitive advantage.
Good security strategies help an organisation to have good security management and corporate governance of the organisation.
A security strategy linked directly to the wider strategy for the organisation provides direction, and a reference point to establish priorities.
Developing a good strategy and learning how best to implement it is crucial to successful security and good business.
Security leaders need to have at least a basic understanding of strategic planning, including its development and implementation. Strategic planning is a fundamental element of successful companies and is a crucial part of managing delivery.
"I consider the work to be a model of clarity, both in the field of security strategy and business strategy more generally. It strikes exactly the right balance of detail, focus and simplicity and is likely to be of use both to a novice security strategist as a clear route map, and also to a veteran strategist as a mnemonic and check list to ensure that all the bases are covered."
Tony Marsh, Royal Mail
The benefits of having a security strategy
Having a good security strategy in place can provide you, your security department and the organisation with a range of benefits. A security strategy can:
Provide stakeholders with a clear understanding of what your security function is trying to achieve.
Help in aligning the security function with the business priorities to achieve competitive advantage.
Enable all staff to better understand why security is important and how it can add value.
Offer a framework to guide the direction and focus of your security function and help to embed security within all systems, procedures and processes.
Help you to be proactive in your response to security anticipating security issues.
Help you to review the performance of your security function and gain greater awareness of the challenges and risks you face.
Inform budget development and document the value security adds to an organisation.
Help to protect your organisation’s profit, reputation, brand, assets, customers, suppliers and employees.
Improve the corporate resilience and sustainability.
"A security strategy gives a greater awareness of the challenges you are facing, a shared platform that colleagues and other departments or divisions can discuss relevant topics. A base from which you can develop resource allocation processes, a method of evaluating your successes and failures."
"A security strategy is a useful communication tool between the security department and the rest of the organisation. It allows them to see what it is your doing, when and it’s easier to get other organisations involved in what you are doing."
"It helps me when I’m trying to put forward a case to line management. It helps to inform them about what I am thinking, and justify the reasons why."
